
Permissions and security

Understand how role permissions protect your shop data and lock down your Pista account with strong sign-in settings.

Your Pista account holds customer records, payment history, pricing, and your full repair history. Keeping it secure is not paranoia; it is good business. The good news is that the protections are built in: role-based permissions limit what each person sees, and account-level controls lock down how people sign in. Here is how to put both to work.

The Security panel under Account settings, where you turn on two-factor authentication and manage active sessions

How permissions protect your data

Permissions follow the role you assign each user, so people only see what their job requires.

  1. A Technician sees the job board, inspections, and labor entry, but never pricing, margins, or payments.
  2. A Service Advisor builds tickets, takes payment, and messages customers, but cannot touch subscription or payouts.
  3. Owner / Admin is the only role that reaches billing, bank payout settings, and pricing matrices.

If you ever need to fine-tune who sees owner-level financial reports, do it per user in Account, then Users. See Adding users and setting roles.

Good to know: Hiding pricing from technicians is not just about secrecy. It keeps the bay focused on the work and keeps your margin data out of conversations it does not belong in.

Lock down account sign-in

Turn on two-factor authentication

  1. Go to Account, then Security.
  2. Enable Two-Factor Authentication (2FA).
  3. Pair an authenticator app or your phone number. From then on, sign-in needs a one-time code on top of the password.

Turn this on for every Owner and Admin at minimum. These are the accounts that can move money.

Require it for your team

  1. In Security, toggle Require 2FA for all users.
  2. Each user is prompted to set up 2FA the next time they log in. Nobody gets locked out; they just complete one extra step.

Role-based permissions keep customer records and pricing visible only to the people who need them

Manage active sessions

  1. In Account, then Security, open Active Sessions.
  2. You will see every device currently logged in, with location and last-active time.
  3. Click Sign Out next to any device you do not recognize, or use Sign Out Everywhere to reset all sessions at once.

This is the fastest fix if a shared front-counter tablet went home with someone or a phone went missing.

When someone leaves the shop

  1. Go to Account, then Users, and Deactivate the person immediately. This kills their login while keeping their work history intact.
  2. If they had Owner or Admin access, also review Active Sessions and sign out any device tied to them.
  3. Rotate any shared credentials they may have known, like a shop email password used for integrations.

Tips

  • Require 2FA shop-wide. A repair order platform with payments attached is a real target, and a one-time code stops the most common attacks cold.
  • Use the lowest role that lets each person do their job. It is easy to grant more later and a hassle to clean up after a breach.
  • Review Active Sessions after losing or replacing a device, and run a quick user-list audit every quarter.

A few minutes in Security today saves you a very bad afternoon later.
